Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

denoland — Vulnerabilities & Security Advisories 40

Browse all 40 CVE security advisories affecting denoland. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Denoland operates as a technology company specializing in the Deno runtime, a modern JavaScript and TypeScript execution environment designed for server-side and command-line applications. While the runtime itself is robust, its ecosystem and associated tools have historically been subject to various security flaws. Recorded vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation issues, often stemming from improper input validation or insecure default configurations within third-party modules or bundled utilities. These weaknesses can allow attackers to execute arbitrary commands or bypass security controls in affected deployments. Although Deno emphasizes security by default, the complexity of its module registry and the rapid pace of development have led to a notable number of Common Vulnerabilities and Exposures. Organizations utilizing Deno must prioritize regular dependency updates and strict security auditing to mitigate these risks effectively.

Top products by denoland: deno std
CVE IDTitleCVSSSeverityPublished
CVE-2026-55517 Deno: Denial of service via non-ASCII bytes in WebSocket response headers — denoCWE-248 4.3 Medium2026-06-23
CVE-2026-44726 Deno: TLS retry copies stale upgrade hook, risking plaintext traffic — denoCWE-319 7.4 High2026-06-23
CVE-2026-49401 Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS) — denoCWE-41 7.3 High2026-06-23
CVE-2026-49402 Deno: Command Injection via spawnSync & spawn on Windows — denoCWE-78 8.1 High2026-06-23
CVE-2026-49406 Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions — denoCWE-22 5.5 Medium2026-06-23
CVE-2026-49411 Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks — denoCWE-284 6.5 Medium2026-06-23
CVE-2026-49983 Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access — denoCWE-863 5.2 Medium2026-06-23
CVE-2026-49860 Deno: WebSocket API sandbox bypass via missing post-DNS check — denoCWE-918 5.2 Medium2026-06-23
CVE-2026-49859 Deno: `fetch()` API sandbox bypass via missing DNS resolution check — denoCWE-693 5.2 Medium2026-06-23
CVE-2026-49440 Deno: Miller-Rabin Primality Test Allows Zero Rounds — denoCWE-325 7.4 High2026-06-23
CVE-2026-32260 Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix) — denoCWE-78 8.1 High2026-03-12
CVE-2026-27190 Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process — denoCWE-78 8.1 High2026-02-20
CVE-2026-22864 Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass — denoCWE-77 8.1 High2026-01-15
CVE-2026-22863 Deno node:crypto doesn't finalize cipher — denoCWE-325 7.5 -2026-01-15
CVE-2025-61787 Deno is Vulnerable to Command Injection on Windows During Batch File Execution — denoCWE-77 8.1 High2025-10-08
CVE-2025-61786 Deno's --deny-read check does not prevent permission bypass — denoCWE-269 3.3 Low2025-10-08
CVE-2025-61785 Deno's --deny-write check does not prevent permission bypass — denoCWE-266 5.3AIMediumAI2025-10-08
CVE-2025-55195 @std/toml Prototype Pollution in Node.js and Browser — stdCWE-1321 7.3 High2025-08-14
CVE-2025-48935 Deno has --allow-read / --allow-write permission bypass in `node:sqlite` — denoCWE-863 8.1AIHighAI2025-06-04
CVE-2025-48934 Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables — denoCWE-201 7.5AIHighAI2025-06-04
CVE-2025-48888 Deno run with --allow-read and --deny-read flags results in allowed — denoCWE-863 7.1AIHighAI2025-06-04
CVE-2025-24015 Deno's AES GCM authentication tags are not verified — denoCWE-347 9.8AICriticalAI2025-06-03
CVE-2025-21620 Deno's authorization headers not dropped when redirecting cross-origin — denoCWE-200 7.5 High2025-01-06
CVE-2024-32468 Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator — denoCWE-79 5.4 Medium2024-11-25
CVE-2024-52793 XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems — stdCWE-79 5.4 -2024-11-22
CVE-2024-37150 Private npm registry support used scope auth token for downloading tarballs — denoCWE-200 7.6 High2024-06-06
CVE-2024-34346 Deno contains a permission escalation via open of privileged files with missing `--deny` flag — denoCWE-863 8.5 High2024-05-07
CVE-2024-32477 Race condition when flushing input stream leads to permission prompt bypass — denoCWE-78 7.7 High2024-04-18
CVE-2024-27936 Deno interactive permission prompt spoofing via improper ANSI stripping — denoCWE-150 8.8 High2024-03-06
CVE-2024-27935 Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination — denoCWE-488 7.2 High2024-03-06

This page lists every published CVE security advisory associated with denoland. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.